Vein Authentication Beaten – Hackers Have Designed a Fake Wax Hand To Beat It

Biometric security is the buzzword today. It's everywhere and is increasingly being adopted in the mainstream. From the fingerprint sensor in your phone to Face ID in iPhones, these are all biometric measures.

Researchers around the world continuously develop more and more intricate biometric solutions that can help authenticate personnel in a more secure and stable manner. Vein authentication is one such measure: it works by scanning a person's hand and determining the shapes, positions and sizes of the veins under the skin. Since these factors have a very low probability of being exactly the same in two people, this was touted as a high-security measure.

Until hackers beat it…

At the Chaos Communication Congress, a hackers' conference organized in Germany every year, two hackers showed visitors how they beat the system using a modified camera and a hand replica built out of wax.

Jan Krissler, better known by his handle starbug, along with Julian Albrecht, modified an SLR camera by removing the infrared filters so as to better capture the vein pattern, and took pictures of a hand. They took around 2500 pictures and then built a replica hand out of wax, using these images as a reference.

Their replica wax hand was able to successfully bypass the vein sensors, which came as a shock to a lot of the visitors.

Globally used Authentication System

Vein-sensor-based authentication is increasingly being adopted by various companies and government agencies around the world. A recent report stated that even the BND, the German intelligence agency, had implemented vein authentication at its headquarters.

Just so we are clear –

The hackers claim that taking a picture from as far as 5 meters was enough to build a replica model.

However, something like this would require very specific skills and would be very hard for the everyday person to replicate. While the hackers worked in a controlled environment and were able to run multiple tests without having to worry about being locked out, traditional vein authentication systems cannot be so easily brute-forced.

Other biometric systems, like fingerprint scanners, are notorious for being easily bypassed by lifting a user's fingerprints from some other surface. Defeating vein authentication, by contrast, would require a lot of access to a user's hand along with excellent modelling skills. Even then, there's a high chance the output may not work.